From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTPS id DC5934C4CB for ; Sun, 3 Aug 2025 18:09:12 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id C4FD268C1FB; Sun, 3 Aug 2025 21:09:08 +0300 (EEST) Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id E8268687EB0 for ; Sun, 3 Aug 2025 21:09:01 +0300 (EEST) Received: by mail.gandi.net (Postfix) with ESMTPSA id DE89F44367 for ; Sun, 3 Aug 2025 18:09:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc; s=gm1; t=1754244541; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=K1+rYKXt3BC4FsrwrlRbePIwQ5An2MPdKkdd1ATDnHc=; b=ZkpIzMqXT0sq1/S/316KG466kgCbxqArvMAEuuyZmZfBQ8gsaNalMRQyul5DjOvNQskyBs N2trjXIUOdrz399Fu0yU0i607FsLtVvKRGUlrm6msJmpS5SiAI9Pev20RNe80qwFYdp2qO 4b9pa0tHDyQbeGD/B9q5lGExsxDnYWCpfORBWPxMoR06/QCmi8akV8HpSy6nDNyi17/NF3 L7uXe5zd4gCn6NdTX+UiAc/YeBygjWQkO67rAuOHDp07Sbx1wnQhogybHnQ1rqsl0gMOkD 5b3NBSao6WbCLYv434X5XmWS7H1nFJQpqAVFIa/BF1McsdQWlfqnxVfQokQPaw== Date: Sun, 3 Aug 2025 20:08:58 +0200 From: Michael Niedermayer To: FFmpeg development discussions and patches Message-ID: <20250803180858.GD29660@pb2> References: <20250803153139.GC29660@pb2> <58fc1346-0f07-4f50-ac70-709d341b74a6@rothenpieler.org> MIME-Version: 1.0 In-Reply-To: <58fc1346-0f07-4f50-ac70-709d341b74a6@rothenpieler.org> X-GND-State: clean X-GND-Score: -85 X-GND-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdefgdduuddtudefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuifetpfffkfdpucggtfgfnhhsuhgsshgtrhhisggvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenfghrlhcuvffnffculdduhedmnecujfgurhepfffhvffukfhfgggtuggjsehgtderredttddvnecuhfhrohhmpefoihgthhgrvghlucfpihgvuggvrhhmrgihvghruceomhhitghhrggvlhesnhhivgguvghrmhgrhigvrhdrtggtqeenucggtffrrghtthgvrhhnpeeugfeluefhvdeitdefkeeluddtieeiieehfeefteeufeetgfffleeljeeiieekgfenucffohhmrghinheplhhkmhhlrdhorhhgnecukfhppeeguddrieeirdeihedrudejieenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpeeguddrieeirdeihedrudejiedphhgvlhhopehlohgtrghlhhhoshhtpdhmrghilhhfrhhomhepmhhitghhrggvlhesnhhivgguvghrmhgrhigvrhdrtggtpdhnsggprhgtphhtthhopedupdhrtghpthhtohepfhhfmhhpvghgqdguvghvvghlsehffhhmphgvghdrohhrgh X-GND-Sasl: michael@niedermayer.cc Subject: Re: [FFmpeg-devel] rebasing security X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Type: multipart/mixed; boundary="===============2608772310807550173==" Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: --===============2608772310807550173== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="5iQ+b4mvd/cIfFpQ" Content-Disposition: inline --5iQ+b4mvd/cIfFpQ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi On Sun, Aug 03, 2025 at 05:38:26PM +0200, Timo Rothenpieler wrote: > On 8/3/2025 5:31 PM, Michael Niedermayer wrote: > > Hi > >=20 > > The "on server rebase" process that we are using with forgejo looks a b= it insecure > >=20 > > Previously we wrote code, discussed and then signed and pushed > > In this setup the code coming from a developer is not manipulatable > > because noone else can sign it > > Even if its not signed, stuff would light up if the > > server suddenly changed your pushed commits, as local and > > remote would not match > >=20 > > The current workflow is to create a merge request and up to that we > > are good. > >=20 > > The problem, the code is then sometimes rebased on the server, this rem= oves > > all signatures and allows arbitrary changes to happen. And that is, aft= er > > all reviews. > >=20 > > in the ML based system, a supply chain attack would have to hit author = and > > all reviewers. > > With webapp rebasing a point after the reviews can introduce a change s= tealthy > >=20 > > The solutions are obvious: > > 1. ignore security and supply chain attacks > > 2. use merges not rebases on the server > > 3. rebase locally, use fast forward only > > 4. verify on server rebases > >=20 > > whats the oppinon of people about merging instead of rebasing ? > > Theres also non security arguments in favor of merges: > > https://lkml.org/lkml/2008/2/12/627 > >=20 > > That said, i think "verify on server rebases" is possible, just not > > something i have heard off before. > >=20 > > am i missing something ? > >=20 > > thx > >=20 >=20 > I can change the setting from "Rebase and merge to FF Only", though that > would be very tedious to deal with for everyone involved. that would be "3." in my list and yes it would be tedious, I think the main question is about the 2./4. options (or if iam missing something) >=20 > Forgejo can keep commit signatures intact if proper keys are configured f= or > the users. Forgejo certainly should have its own key to sign commits it generates. But it cannot have any individual developers private key. thx [...] --=20 Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Concerning the gods, I have no means of knowing whether they exist or not or of what sort they may be, because of the obscurity of the subject, and the brevity of human life -- Protagoras --5iQ+b4mvd/cIfFpQ Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABEKAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCaI+ltgAKCRBhHseHBAsP q78sAJ0UuYAFL9eZeCzq7v0ouZIOYdtRdQCfbhJ3Xb0YlSXmiI7hrAU8Ko7jIt4= =rDrH -----END PGP SIGNATURE----- --5iQ+b4mvd/cIfFpQ-- --===============2608772310807550173== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". --===============2608772310807550173==--